Facebook Bug Bounty: Clickjacking

10:14 AM

Note: this is actually a guest post from a friend, Sahad Nk with his
recently patched Facebook Clickjacking bug. The exploit was really interesting
so I really hope you enjoy it.

ClickJacking:

According to OWASP: Clickjacking, also known as a "UI redress
attack", is when an attacker uses multiple transparent or opaque layers to
trick a user into clicking on a button or link on another page when they were
intending to click on the top level page. Thus, the attacker is
"hijacking" clicks meant for their page and routing them to another
page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully
crafted combination of stylesheets, iframes, and text boxes, a user can be led
to believe they are typing in the password to their email or bank account, but
are instead typing into an invisible frame controlled by the
attacker.

In my own words: Clickjacking is an interesting and simple way of exploiting
a web application that can lead to serious issues (transferring funds, sending
messages, ...). The idea is actually really simple:

We frame a target website A inside an iframe, use stylesheets to make it
invisible (it is still present, in the background), and build another page on
top of it. So while you think you are clicking something on the
attacker-controlled page, I can actually make you click a button in the framed
website.

OWASP has a good example for clickjacking: For example, imagine an attacker
who builds a web site that has a button on it that says "click here for a
free iPod". However, on top of that web page, the attacker has loaded an
iframe with your mail account, and lined up exactly the "delete all
messages" button directly on top of the "free iPod" button. The
victim tries to click on the "free iPod" button but instead actually
clicked on the invisible "delete all messages" button. In essence,
the attacker has "hijacked" the user's click, hence the name
"Clickjacking".

The simplest and most effective fix for this is the X-Frame-Options header.
Even though Facebook was using one, here is how I bypassed it so that an
attacker could make a victim post a status update. :)

The Exploit:

The exploit is really simple and effective. Facebook defended against
clickjacking in two ways, each a fallback for the other. On interfaces with
JavaScript support it uses frame-busting (JavaScript that refuses to be
framed). On interfaces without JavaScript support it sends X-Frame-Options
(XFO), not as an HTTP header but in a meta tag placed inside a <noscript> tag.

Meta-tags that attempt to apply the X-Frame-Options directive DO NOT WORK.
For example, <meta http-equiv="X-Frame-Options" content="deny"> will not
work. You must apply the X-FRAME-OPTIONS directive as an HTTP Response Header.

The main point here is that browsers ignore X-Frame-Options given in a meta
tag and do not block framing (tested in Firefox 35).
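As an added example (not code from the post or from Facebook), here is a small Python check that parses a raw HTTP response and reports whether X-Frame-Options or a CSP frame-ancestors directive is actually present as a response header; the two sample responses are constructed, and an XFO found only in a meta tag in the body is flagged as ineffective, as the post describes.

```python
"""Check whether an HTTP response carries an effective anti-framing control."""
import re

# Matches <meta http-equiv="X-Frame-Options" ...> anywhere in the body.
META_XFO = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?x-frame-options["\']?[^>]*>', re.I)


def parse_response(raw: str):
    """Split a raw HTTP response into (lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def framing_defense(raw: str) -> dict:
    """Report which anti-framing controls this response really provides."""
    headers, body = parse_response(raw)
    xfo = headers.get("x-frame-options", "").upper()
    csp = headers.get("content-security-policy", "").lower()
    result = {
        "xfo_header": xfo in ("DENY", "SAMEORIGIN"),
        "csp_frame_ancestors": "frame-ancestors" in csp,
        "meta_xfo_only": False,
    }
    result["protected"] = result["xfo_header"] or result["csp_frame_ancestors"]
    # The post's finding: XFO inside a <meta> tag (even under <noscript>) is
    # ignored by browsers, so it is reported but never counted as protection.
    # JavaScript frame-busting is not counted either, for the same reason.
    if META_XFO.search(body) and not result["protected"]:
        result["meta_xfo_only"] = True
    return result


# Constructed sample responses: one relying on the meta tag, one on headers.
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><noscript><meta http-equiv=\"X-Frame-Options\" "
        "content=\"deny\"></noscript></head><body>...</body></html>")
STRONG = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "X-Frame-Options: DENY\r\n"
          "Content-Security-Policy: frame-ancestors 'none'\r\n\r\n"
          "<html><body>...</body></html>")

if __name__ == "__main__":
    for name, raw in (("weak", WEAK), ("strong", STRONG)):
        print(name, framing_defense(raw))
```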

On interfaces which require JS support, it is possible to bypass JS
frame-busting by giving the iframe a sandbox attribute, like:

Simple as that, it was possible to iframe Facebook and make you do an undesirable number of things.

About Paulos

I am currently specializing in application security and client side offensive exploit research. I really enjoy breaking things. I occasionally do bug bounties, with notable references such as Coinbase, Facebook, Twitter and more.